Abstract image of a woman sitting on books and studying on a laptop

NANOG 82: DNS Evolution

APNIC, profile picture
APNIC

The document discusses the vulnerabilities and challenges associated with the Domain Name System (DNS), including issues of privacy, tampering, and the complexity of implementing DNS security measures like DNSSEC. It outlines potential solutions to enhance DNS authenticity, improve application-level functions, and address information leaks, while acknowledging the hurdles in widespread adoption of these improvements. The future of DNS appears to be shifting towards more application-centric approaches that may prioritize privacy and tailored service responses over traditional network-centric methods.

Internet
1 of 38
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
DNS Evolution Geoff Huston AM APNIC Labs
https://xkcd.com/1361/
Why pick on the DNS? The DNS is used by everyone and everything • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities - as it happens!
Why pick on the DNS? The DNS is very easy to tap and tamper • DNS queries are open and unencrypted • DNS payloads are not secured and tampering cannot be readily detected • DNS responses are predictable and false answers can be injected
Why pick on the DNS? The DNS is hard for users to trace • Noone knows exactly where their queries go • Noone can know precisely where their answers come from
What are we doing about this? I’d like to look at this question by grouping our responses into three areas of activity: 1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
How can you trust the DNS answer? • Send your query to the “right” IP address and you will get the “right answer! Or • Request a digital signature along with the DNS answer and validate the answer using a pre-provisioned trusted key (DNSSEC) 8
Is DNSSEC being used? • Yes and No! 9
Is DNSSEC being used? • Yes and No! 10 Who validates DNS responses?
Is DNSSEC being used? • Yes and No! 11 2014 2016 2018 2020 Who validates DNS responses? 25% of users are behind DNSSEC-validating resolvers who will not resolve a badly signed DNS name
Is DNSSEC being used? • Yes and No! 12 Who signs DNS Zones? Public data on the DNSSEC zone signing rate is hard to define, and even harder to come by! ?
Problems with DNSSEC 13 • Large DNS responses cause robustness issues for DNS • Getting large responses through the network has reliability issues with UDP packet fragmentation and timing issues with signalled cut-over to TCP • The validator has to perform a full backtrace query sequence to assemble the full DNSSEC signature chain • So the problem is that DNSSEC validation may entail a sequence of queries where each of the responses may require encounter UDP fragmentation packet loss
Some More Problems with DNSSEC 14 • Cryptographically “stronger” keys tend to be bigger keys over time, so the issue of cramming more data into DNS transactions is not going away! • The stub-to-recursive hop is generally not using validation, so the user ends up trusting the validating recursive resolver in any case • The current DNSSEC framework represents a lot of effort for only a marginal gain
Are we getting better at DNSSEC? There is still a lot of room to improve our DNSSEC story • Reducing validation-chain query delays using DNSSEC Chain responses? • Using “denser” crypto algorithms to limit key and signature sizes? • Using TCP for DNSSEC queries? • NSEC3? Really? • NSEC5? YMBK! 15
Authenticity in the DNS • DNSSEC Validation cannot not prevent DNS eavesdropping, interception or tampering – all it can do is withhold DNS responses that are not “genuine” • DNSSEC adoption is a trade-off in terms of additional costs of added points of fragility, added delay and load points balanced against the increased assurance of being able to place trust that the DNS responses are authentic 16
1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
It used to be so simple • Query the DNS with a service name • Get a response with the IP host address where the service is located • Use the application to negotiate a service with the addressed host • All services that share a common name share a common host 18
But we wanted more: • We wanted to make a distinction between the service name and the platform that hosted the service • We wanted to have different services accessible using the same service name • We wanted a collection of platforms to deliver the service associated with a single service name • We wanted to outsource different services to different service providers • We wanted to steer the user to the “right” service provider for each user • And we wanted it to be FAST! • The concept of “go anywhere first and get redirected to an optimal service delivery point” is considered to be not FAST 19
So we added Bells and Whistles • Put all of this optimisation into the DNS by: • Mapping the service names to host names • CNAME, DNAME and ANAME • None of these are very satisfactory! • The SRV record • This is either a swiss army knife or a chain saw massacre! • Add the service name (port) and protocol (transport) to the service name and use this as the query • And get the DNS response to come back with a collection of service delivery points • The Client Subnet query extension • Tag the query with the querier to permit tailoring of the service response in the DNS rather than in the application 20
More Bells (and Whistles!) • SVCB and HTTPSSVC Resource Records • The “mega” response that can provide Application Level Protocols, IPv4 and IPv6 addresses, ESNI key, priority • Oh, and yes, there is an “alias form” that allows alias mapping at a zone apex 21
It’s faster, but… • But as we add more instrumentation to the DNS, it becomes a generic rendezvous tool, where a client forms a query based on an intended service access and the DNS response provides a set of service connection parameters that is potentially tailored to optimise the delivered service • This means that real time knowledge of a user’s DNS queries is synonymous to knowledge of a user’s immediate intentions • Which means that the DNS privacy issues become even more critical 22
1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
Plugging the DNS leakage • Query Name Minimisation to reduce the extravagant chattiness of the DNS resolution process on the recursive to authoritative path • DNS over TLS on the stub to recursive path • Channel protection, remote end authentication and transport robustness • DNS over HTTPS (/3) on the stub to recursive path • Channel protection, remote end authentication, transport robustness and HTTP object semantics • Oblivious DNS over HTTPS (/3) on the stub to recursive path • Hide the implicit end point identity / query name association leakage 24
Coming soon? • Extending DNS channel protection to the recursive to authoritative hops (Although this may be tougher than it looks at first!) 25
Scaling with Encrypted Channels • Session level encryption involves session establishment and maintenance overhead • Typically this entails a TCP overhead (direction or within a QUIC envelope) and a TGLS overhead • This can be amortised through session reuse • Session reuse is most effective on the stub to recursive paths • The secure Web infrastructure points to ways that we can scale an encrypted DNS infrastructure, but the economics of the DNS are somewhat different than those of the web 26
Will all this be deployed? 27
Can we do this? • Pretty clearly we have most of the tools available to achieve all of these objectives • Leverage TLS to provide session level encryption • Leverage HTTPS to push stub resolution functions into applications • Use the DNS HTTPSSVC to provide the ESNI key • Yes we can! 28
Will we do this? • This is a far more challenging question! 29
If HTTPS worked, why not DoH? • Any change to the DNS that requires user configuration, or a change of CPE behaviour will not be easy to gather deployment momentum • There is no untapped financial return in DNS resolution, so this is not an activity that has strong commercial impetus • Many public environments use DNS oversight and alteration as a means of content moderation. There is little appetite to make that harder • Browser vendors have far more limited leverage in the DNS, as compared to content delivery over HTTP
The DNS Economy • In the public Internet, end clients don’t normally pay directly for DNS recursive resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • The more they are used, the greater the funding problem to run them at scale • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways
The DNS Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base • 70% of all end clients use same-AS recursive resolvers * • However the fact that it works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision • The DNS is also highly resistant to changes in the edge infrastructure 32 * https://stats.labs.apnic.net/rvrs
Where is this heading? • Will any of these privacy approaches becomes mainstream in the public Internet?
My Opinion • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist
My Opinion • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • But that’s not the full story...
“Split” DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DoH to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP- provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in such a scenario
It’s life Jim, but not as we know it!* • The overall progression here is an evolution from network-centric services to platform-centric services to today’s world of application- centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire internet service domain are looking pretty poor right now! * With apologies to the Trekies!
Thanks!

More Related Content

PDF
RIPE 82: DNS Evolution
APNIC
 
PDF
RIPE 82: An Update on Fragmentation Loss Rates in IPv6
APNIC
 
PDF
RIPE 82: Measuring Recursive Resolver Centrality
APNIC
 
PDF
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
APNIC
 
PDF
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
Chika Yoshimura
 
PDF
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
PDF
Thoughts about DNS for DDoS
APNIC
 
PPTX
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
RIPE 82: DNS Evolution
APNIC
 
RIPE 82: An Update on Fragmentation Loss Rates in IPv6
APNIC
 
RIPE 82: Measuring Recursive Resolver Centrality
APNIC
 
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
APNIC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
Chika Yoshimura
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
Thoughts about DNS for DDoS
APNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 

What's hot (20)

PDF
DNS-OARC 34: Measuring DNS Flag Day 2020
APNIC
 
PDF
Experience Using RIR Whois
APNIC
 
PDF
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
 
PDF
RIPE 78: IPv6 reliability measurements
APNIC
 
PDF
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
PPTX
IPv6 and the DNS, RIPE 73
APNIC
 
PDF
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
PDF
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
PDF
Zombie DNS
APNIC
 
PDF
Measuring the End User
APNIC
 
PDF
NANOG 74: That KSK Roll
APNIC
 
PDF
How Greta uses NATS to revolutionize data distribution on the Internet
Apcera
 
ZIP
DNS Cache Poisoning
Christiaan Ottow
 
PDF
Network
Ynon Perek
 
PDF
IETF 112: Internet centrality and its impact on routing
APNIC
 
PPTX
What to consider when monitoring microservices
Particular Software
 
PDF
The curse of the open recursor
Tom Paseka
 
PPTX
Intel aspera-medical-v1
dkumiaspera
 
DOCX
Build your own cloud server
Randall Spence
 
PDF
DYNAMIC HOST CONFIGURATION PROTOCOL
VENKATESHAN A S
 
DNS-OARC 34: Measuring DNS Flag Day 2020
APNIC
 
Experience Using RIR Whois
APNIC
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
 
RIPE 78: IPv6 reliability measurements
APNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
IPv6 and the DNS, RIPE 73
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
Zombie DNS
APNIC
 
Measuring the End User
APNIC
 
NANOG 74: That KSK Roll
APNIC
 
How Greta uses NATS to revolutionize data distribution on the Internet
Apcera
 
DNS Cache Poisoning
Christiaan Ottow
 
Network
Ynon Perek
 
IETF 112: Internet centrality and its impact on routing
APNIC
 
What to consider when monitoring microservices
Particular Software
 
The curse of the open recursor
Tom Paseka
 
Intel aspera-medical-v1
dkumiaspera
 
Build your own cloud server
Randall Spence
 
DYNAMIC HOST CONFIGURATION PROTOCOL
VENKATESHAN A S
 
Ad

Similar to NANOG 82: DNS Evolution (20)

PDF
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
APNIC
 
PDF
RIPE 86: DNSSEC — Yes or No?
APNIC
 
PDF
Introduction DNSSec
AFRINIC
 
PDF
DNS Openness
APNIC
 
PDF
Some DNSSEC Measurements, presented at ICANN 82
APNIC
 
PDF
NZNOG 2020: DOH
APNIC
 
PPTX
dnssec_networking_improvement_for_security.pptx
pipopopo3
 
PDF
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
PPTX
IGF 2023: DNS Privacy
APNIC
 
PDF
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
PDF
Session 4.1 Roy Arends
Commonwealth Telecommunications Organisation
 
PDF
DNS Security
johnmcclure00
 
PDF
Technical and Business Considerations for DNSSEC Deployment
APNIC
 
PDF
NANOG 84: DNS Openness
APNIC
 
PDF
DNS-OARC 38: The resolvers we use
APNIC
 
PPTX
DNS
HogrGoran
 
PDF
Rolling the Root KSK
APNIC
 
PDF
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
PPTX
Domain Name System and Dynamic Host Configuration Protocol.pptx
UsmanAhmed269749
 
PDF
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
APNIC
 
RIPE 86: DNSSEC — Yes or No?
APNIC
 
Introduction DNSSec
AFRINIC
 
DNS Openness
APNIC
 
Some DNSSEC Measurements, presented at ICANN 82
APNIC
 
NZNOG 2020: DOH
APNIC
 
dnssec_networking_improvement_for_security.pptx
pipopopo3
 
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
IGF 2023: DNS Privacy
APNIC
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
Session 4.1 Roy Arends
Commonwealth Telecommunications Organisation
 
DNS Security
johnmcclure00
 
Technical and Business Considerations for DNSSEC Deployment
APNIC
 
NANOG 84: DNS Openness
APNIC
 
DNS-OARC 38: The resolvers we use
APNIC
 
DNS
HogrGoran
 
Rolling the Root KSK
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
UsmanAhmed269749
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
Ad

More from APNIC (20)

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
APNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
APNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
PDF
Make DDoS expensive for the threat actors
APNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
The Internet - By the numbers, presented at npNOG 11
APNIC
 
Transmission Control Protocol (TCP) and Starlink
APNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
Make DDoS expensive for the threat actors
APNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 

Recently uploaded (20)

PPTX
Cyber Hygine IN organizations in MSME or
paramkiet
 
PPTX
10.2981-wlb.2004.021Figurewlb3bf00068fig0001.pptx
katherinecapunays
 
PPTX
Tìm hiểu về dịch vụ FTTH - Fiber Optic Access Node
VoDuy27
 
PPTX
ECO SAFE AI - SUSTAINABLE SAFE AND HOME HUB
km5624
 
PDF
Paper The World Game (s) Great Redesign.pdf
Steven McGee
 
PDF
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
PPTX
Top Website Bugs That Hurt User Experience – And How Expert Web Design Fixes
e-Definers Technology
 
DOCX
Powerful Ways AIRCONNECT INFOSYSTEMS Pvt Ltd Enhances IT Infrastructure in In...
Airconnect pvtltd
 
PPTX
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
PDF
Lean-Manufacturing-Tools-Techniques-and-How-To-Use-Them.pdf
Turreteng
 
PDF
Buy Cash App Verified Accounts Instantly – Secure Crypto Deal.pdf
pvaonit
 
PPTX
Basic understanding of cloud computing one need
subhosvims
 
PDF
BIOCHEM CH2 OVERVIEW OF MICROBIOLOGY.pdf
tbasharababneh
 
PDF
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
PPSX
AI AppSec Threats and Defenses 20250822.ppsx
Robert Grupe, CSSLP CISSP PE PMP
 
PDF
KEY COB2 UNIT 1: The Business of businessĐH KInh tế TP.HCM
vannhieu190219
 
PDF
Slides: PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PDF
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
DOCX
Memecoinist Update: Best Meme Coins 2025, Trump Meme Coin Predictions, and th...
memecoinist83
 
PPT
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
Cyber Hygine IN organizations in MSME or
paramkiet
 
10.2981-wlb.2004.021Figurewlb3bf00068fig0001.pptx
katherinecapunays
 
Tìm hiểu về dịch vụ FTTH - Fiber Optic Access Node
VoDuy27
 
ECO SAFE AI - SUSTAINABLE SAFE AND HOME HUB
km5624
 
Paper The World Game (s) Great Redesign.pdf
Steven McGee
 
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
Top Website Bugs That Hurt User Experience – And How Expert Web Design Fixes
e-Definers Technology
 
Powerful Ways AIRCONNECT INFOSYSTEMS Pvt Ltd Enhances IT Infrastructure in In...
Airconnect pvtltd
 
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
Lean-Manufacturing-Tools-Techniques-and-How-To-Use-Them.pdf
Turreteng
 
Buy Cash App Verified Accounts Instantly – Secure Crypto Deal.pdf
pvaonit
 
Basic understanding of cloud computing one need
subhosvims
 
BIOCHEM CH2 OVERVIEW OF MICROBIOLOGY.pdf
tbasharababneh
 
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
AI AppSec Threats and Defenses 20250822.ppsx
Robert Grupe, CSSLP CISSP PE PMP
 
KEY COB2 UNIT 1: The Business of businessĐH KInh tế TP.HCM
vannhieu190219
 
Slides: PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
Memecoinist Update: Best Meme Coins 2025, Trump Meme Coin Predictions, and th...
memecoinist83
 
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 

NANOG 82: DNS Evolution

  • 3. Why pick on the DNS? The DNS is used by everyone and everything • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities - as it happens!
  • 4. Why pick on the DNS? The DNS is very easy to tap and tamper • DNS queries are open and unencrypted • DNS payloads are not secured and tampering cannot be readily detected • DNS responses are predictable and false answers can be injected
  • 5. Why pick on the DNS? The DNS is hard for users to trace • Noone knows exactly where their queries go • Noone can know precisely where their answers come from
  • 6. What are we doing about this? I’d like to look at this question by grouping our responses into three areas of activity: 1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
  • 7. 1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
  • 8. How can you trust the DNS answer? • Send your query to the “right” IP address and you will get the “right answer! Or • Request a digital signature along with the DNS answer and validate the answer using a pre-provisioned trusted key (DNSSEC) 8
  • 9. Is DNSSEC being used? • Yes and No! 9
  • 10. Is DNSSEC being used? • Yes and No! 10 Who validates DNS responses?
  • 11. Is DNSSEC being used? • Yes and No! 11 2014 2016 2018 2020 Who validates DNS responses? 25% of users are behind DNSSEC-validating resolvers who will not resolve a badly signed DNS name
  • 12. Is DNSSEC being used? • Yes and No! 12 Who signs DNS Zones? Public data on the DNSSEC zone signing rate is hard to define, and even harder to come by! ?
  • 13. Problems with DNSSEC 13 • Large DNS responses cause robustness issues for DNS • Getting large responses through the network has reliability issues with UDP packet fragmentation and timing issues with signalled cut-over to TCP • The validator has to perform a full backtrace query sequence to assemble the full DNSSEC signature chain • So the problem is that DNSSEC validation may entail a sequence of queries where each of the responses may require encounter UDP fragmentation packet loss
  • 14. Some More Problems with DNSSEC 14 • Cryptographically “stronger” keys tend to be bigger keys over time, so the issue of cramming more data into DNS transactions is not going away! • The stub-to-recursive hop is generally not using validation, so the user ends up trusting the validating recursive resolver in any case • The current DNSSEC framework represents a lot of effort for only a marginal gain
  • 15. Are we getting better at DNSSEC? There is still a lot of room to improve our DNSSEC story • Reducing validation-chain query delays using DNSSEC Chain responses? • Using “denser” crypto algorithms to limit key and signature sizes? • Using TCP for DNSSEC queries? • NSEC3? Really? • NSEC5? YMBK! 15
  • 16. Authenticity in the DNS • DNSSEC Validation cannot not prevent DNS eavesdropping, interception or tampering – all it can do is withhold DNS responses that are not “genuine” • DNSSEC adoption is a trade-off in terms of additional costs of added points of fragility, added delay and load points balanced against the increased assurance of being able to place trust that the DNS responses are authentic 16
  • 17. 1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
  • 18. It used to be so simple • Query the DNS with a service name • Get a response with the IP host address where the service is located • Use the application to negotiate a service with the addressed host • All services that share a common name share a common host 18
  • 19. But we wanted more: • We wanted to make a distinction between the service name and the platform that hosted the service • We wanted to have different services accessible using the same service name • We wanted a collection of platforms to deliver the service associated with a single service name • We wanted to outsource different services to different service providers • We wanted to steer the user to the “right” service provider for each user • And we wanted it to be FAST! • The concept of “go anywhere first and get redirected to an optimal service delivery point” is considered to be not FAST 19
  • 20. So we added Bells and Whistles • Put all of this optimisation into the DNS by: • Mapping the service names to host names • CNAME, DNAME and ANAME • None of these are very satisfactory! • The SRV record • This is either a swiss army knife or a chain saw massacre! • Add the service name (port) and protocol (transport) to the service name and use this as the query • And get the DNS response to come back with a collection of service delivery points • The Client Subnet query extension • Tag the query with the querier to permit tailoring of the service response in the DNS rather than in the application 20
  • 21. More Bells (and Whistles!) • SVCB and HTTPSSVC Resource Records • The “mega” response that can provide Application Level Protocols, IPv4 and IPv6 addresses, ESNI key, priority • Oh, and yes, there is an “alias form” that allows alias mapping at a zone apex 21
  • 22. It’s faster, but… • But as we add more instrumentation to the DNS, it becomes a generic rendezvous tool, where a client forms a query based on an intended service access and the DNS response provides a set of service connection parameters that is potentially tailored to optimise the delivered service • This means that real time knowledge of a user’s DNS queries is synonymous to knowledge of a user’s immediate intentions • Which means that the DNS privacy issues become even more critical 22
  • 23. 1. Adding authenticity to the DNS 2. Increasing the reliance on the DNS for application level rendezvous functions 3. Plugging DNS information leaks
  • 24. Plugging the DNS leakage • Query Name Minimisation to reduce the extravagant chattiness of the DNS resolution process on the recursive to authoritative path • DNS over TLS on the stub to recursive path • Channel protection, remote end authentication and transport robustness • DNS over HTTPS (/3) on the stub to recursive path • Channel protection, remote end authentication, transport robustness and HTTP object semantics • Oblivious DNS over HTTPS (/3) on the stub to recursive path • Hide the implicit end point identity / query name association leakage 24
  • 25. Coming soon? • Extending DNS channel protection to the recursive to authoritative hops (Although this may be tougher than it looks at first!) 25
  • 26. Scaling with Encrypted Channels • Session level encryption involves session establishment and maintenance overhead • Typically this entails a TCP overhead (direction or within a QUIC envelope) and a TGLS overhead • This can be amortised through session reuse • Session reuse is most effective on the stub to recursive paths • The secure Web infrastructure points to ways that we can scale an encrypted DNS infrastructure, but the economics of the DNS are somewhat different than those of the web 26
  • 27. Will all this be deployed? 27
  • 28. Can we do this? • Pretty clearly we have most of the tools available to achieve all of these objectives • Leverage TLS to provide session level encryption • Leverage HTTPS to push stub resolution functions into applications • Use the DNS HTTPSSVC to provide the ESNI key • Yes we can! 28
  • 29. Will we do this? • This is a far more challenging question! 29
  • 30. If HTTPS worked, why not DoH? • Any change to the DNS that requires user configuration, or a change of CPE behaviour will not be easy to gather deployment momentum • There is no untapped financial return in DNS resolution, so this is not an activity that has strong commercial impetus • Many public environments use DNS oversight and alteration as a means of content moderation. There is little appetite to make that harder • Browser vendors have far more limited leverage in the DNS, as compared to content delivery over HTTP
  • 31. The DNS Economy • In the public Internet, end clients don’t normally pay directly for DNS recursive resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • The more they are used, the greater the funding problem to run them at scale • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways
  • 32. The DNS Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base • 70% of all end clients use same-AS recursive resolvers * • However the fact that it works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision • The DNS is also highly resistant to changes in the edge infrastructure 32 * https://stats.labs.apnic.net/rvrs
  • 33. Where is this heading? • Will any of these privacy approaches becomes mainstream in the public Internet?
  • 34. My Opinion • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist
  • 35. My Opinion • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • But that’s not the full story...
  • 36. “Split” DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DoH to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP- provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in such a scenario
  • 37. It’s life Jim, but not as we know it!* • The overall progression here is an evolution from network-centric services to platform-centric services to today’s world of application- centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire internet service domain are looking pretty poor right now! * With apologies to the Trekies!